One In Four NHS Trusts Spent No Money On Cybersecurity

WannaCry lessons? In the past year, a quarter of NHS spent absolutely nothing on cyber-security training

Security specialist Redscan has published an alarming survey which reveals the differing levels of cyber-security spending across the NHS.

Redscan submitted Freedom of Information requests to 226 NHS trusts in total, reported the FT. Of these, 43 confirmed they had not allocated any funding for cyber security training or expertise between August 2017 and August 2018. Sixty-seven trusts failed to respond.

That shocking admission was offset by the news that those NHS trusts instead relied on the free training provided by NHS Digital – the IT supplier for the national health service.

The survey also discovered there is a wide imbalance in employee cyber security training and spending between trusts; and that many trusts are likely to be failing to meet training targets on information governance.

“On average, NHS trusts employ just one qualified security professional per 2,582 employees,” Redscan said. “Nearly a quarter of trusts have no employees with security qualifications (24 out of 108 trusts), despite some employing as many as 16,000 full and part-time personnel.”

“Several NHS organisations that employee no qualified cybersecurity professionals reported having staff members in the process of obtaining relevant security qualifications – perhaps an indication of the difficulties of hiring trained professionals,” it said.

It found that NHS trusts spent an average of £5,356 on data security training, although a significant proportion conducted such training in-house at no cost or only used free NHS Digital training tools.

And spending on training varied significantly between trusts, from £238 to £78,000.

“These findings shine a light on the cyber security failings of the NHS, which is struggling to implement a cohesive security strategy under difficult circumstances,” explained Redscan director of Cyber Security, Mark Nicholls.

“Individual trusts lack in-house cybersecurity talent and many are falling short of training targets; while investment in security and data protection training is patchy at best,” said Nicholls. “The extent of discrepancies is alarming, as some NHS organisations are far better resourced, funded and trained than others.”

Expert take

With the NHS increasingly reliant on technology, the Redscan survey will be a cause for concern among professionals.

“As demonstrated by the Wannacry outbreak last year, NHS frontline services can be significantly impacted by cybersecurity issues,” noted Gavin Millard, VP of Intelligence at Tenable.

“It’s unlikely the NHS will ever have the same level of investment into security as other verticals, but basic cyber hygiene practices still need to be followed to ensure patient records remain private and services continue to be available,” said Millard. “Cyber Essentials is a good starting point, and can be achieved on a tight budget with the focus being more on foundational controls (patching, password policies etc.) than expensive tools.”

The charges allege that Park Jin Hyok carried out the attacks as part of a team known as the Lazarus Group under the auspices of North Korea’s government, although no North Korean officials have been named.